Vice Society: A tale of victim data exfiltration via PowerShell, aka stealing off the land


Threat actors (TAs) using built-in data exfiltration methods like LOLBAS negate the need to bring in external tools that might be flagged by security software and/or human-based security detection mechanisms. These methods can also hide within the general operating environment, providing subversion to the threat actor.

For example, PS scripting is often used within a typical Windows environment. When TAs want to hide in plain sight, PS code is often a go-to. Early in 2023, the Unit 42 IR team found the Vice Society ransomware gang using a script named w1.ps1 to exfiltrate data from a victim network.

Read more…
Source: Palo Alto Unit 42